F5 BIG-IP Cookie Information Disclosure - Vulnerability Database

Description

F5 BIG-IP load balancers use persistence cookies to maintain session affinity between clients and backend servers. By default, these cookies encode backend server information (IP addresses and ports) in an unencrypted format that can be easily decoded by anyone who intercepts or observes the cookie value. This allows unauthenticated attackers to map the internal network topology and identify backend infrastructure components.

Remediation

Enable cookie encryption for BIG-IP persistence cookies to prevent information disclosure. This can be configured in two ways:

1. HTTP Profile Method: Configure cookie encryption within the HTTP profile by setting the 'Encrypt Cookies' option and specifying a passphrase. This encrypts all cookies processed by the profile.

2. Cookie Persistence Profile Method: Enable encryption directly in the cookie persistence profile by configuring the 'Cookie Encryption' settings with a secure passphrase and appropriate cipher.

Additionally, consider implementing the following defense-in-depth measures:
- Use cookie name obfuscation to make BIG-IP cookies less identifiable
- Implement secure cookie attributes (Secure, HttpOnly, SameSite)
- Regularly rotate encryption passphrases
- Monitor for unusual cookie decoding attempts in security logs

Refer to the provided F5 Knowledge Base articles (K6917, K14784, K23254150) for detailed configuration instructions specific to your BIG-IP version.
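To verify that encryption is in effect, check that Set-Cookie values no longer match the default unencrypted layout. The audit below is an added example, not code from this page or from F5. It assumes the default IPv4 encoding F5 documents for persistence cookies (`<ip>.<port>.0000`, with the IP bytes read little-endian as a decimal integer and the port byte-swapped), and the pool name and header values are constructed.

```python
import ipaddress
import re

# Assumed default unencrypted IPv4 value layout: <ip>.<port>.0000
# IPv6 and route-domain variants are not covered by this check.
PLAIN_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_plain_value(value):
    """Return (ip, port) if value is an unencrypted IPv4 persistence value, else None."""
    m = PLAIN_IPV4.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The IP is stored little-endian; the port has its two bytes swapped.
    ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie(headers):
    """Return one finding per Set-Cookie value that exposes a backend address.

    Matching is on the value format, not the cookie name, so it still
    works when the cookie has been renamed.
    """
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        decoded = decode_plain_value(rest.split(";", 1)[0])
        if decoded:
            ip, port = decoded
            findings.append({
                "cookie": name.strip(),
                "backend": f"{ip}:{port}",
                "private": ipaddress.ip_address(ip).is_private,
            })
    return findings


# Constructed sample headers (not captured traffic). The second value is an
# opaque placeholder standing in for an encrypted cookie.
SAMPLE_HEADERS = [
    "BIGipServerexample_pool=1677787402.36895.0000; path=/; Httponly; Secure",
    "BIGipServerexample_pool=!Zm9vYmFyY29uc3RydWN0ZWQ=; path=/; Httponly; Secure",
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
]

if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_HEADERS):
        print(f"UNENCRYPTED {f['cookie']} -> {f['backend']} (private={f['private']})")
```

An empty result from `audit_set_cookie` on responses collected after the change indicates the cookie values no longer carry a decodable backend address.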
